Vulnerabilities > CVE-2008-5844 - Configuration vulnerability in PHP 5.2.7

047910
CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, low complexity, php, CWE-16, nessus

Summary

PHP 5.2.7 contains an incorrect change to the FILTER_UNSAFE_RAW functionality, and unintentionally disables magic_quotes_gpc regardless of the actual magic_quotes_gpc setting, which might make it easier for context-dependent attackers to conduct SQL injection attacks and unspecified other attacks.

Vulnerable Configurations

Part          Description   Count
Application   Php           1

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201001-03.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201001-03 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below and the associated PHP release notes for details. Impact : A context-dependent attacker could execute arbitrary code via a specially crafted string containing an HTML entity when the mbstring extension is enabled. Furthermore a remote attacker could execute arbitrary code via a specially crafted GD graphics file. A remote attacker could also cause a Denial of Service via a malformed string passed to the json_decode() function, via a specially crafted ZIP file passed to the php_zip_make_relative_path() function, via a malformed JPEG image passed to the exif_read_data() function, or via temporary file exhaustion. It is also possible for an attacker to spoof certificates, bypass various safe_mode and open_basedir restrictions when certain criteria are met, perform Cross-site scripting attacks, more easily perform SQL injection attacks, manipulate settings of other virtual hosts on the same server via a malicious .htaccess entry when running on Apache, disclose memory portions, and write arbitrary files via a specially crafted ZIP archive. Some vulnerabilities with unknown impact and attack vectors have been reported as well. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 44892
    published: 2010-02-25
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/44892
    title: GLSA-201001-03 : PHP: Multiple vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201001-03.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(44892);
      script_version("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:45");
    
      script_cve_id("CVE-2008-5498", "CVE-2008-5514", "CVE-2008-5557", "CVE-2008-5624", "CVE-2008-5625", "CVE-2008-5658", "CVE-2008-5814", "CVE-2008-5844", "CVE-2008-7002", "CVE-2009-0754", "CVE-2009-1271", "CVE-2009-1272", "CVE-2009-2626", "CVE-2009-2687", "CVE-2009-3291", "CVE-2009-3292", "CVE-2009-3293", "CVE-2009-3546", "CVE-2009-3557", "CVE-2009-3558", "CVE-2009-4017", "CVE-2009-4142", "CVE-2009-4143");
      script_bugtraq_id(32625, 32948, 32958, 33002, 33542, 35440, 36449, 36712, 37079, 37390);
      script_xref(name:"GLSA", value:"201001-03");
    
      script_name(english:"GLSA-201001-03 : PHP: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201001-03
    (PHP: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in PHP. Please review the
        CVE identifiers referenced below and the associated PHP release notes
        for details.
      
    Impact :
    
        A context-dependent attacker could execute arbitrary code via a
        specially crafted string containing an HTML entity when the mbstring
        extension is enabled. Furthermore a remote attacker could execute
        arbitrary code via a specially crafted GD graphics file.
        A remote attacker could also cause a Denial of Service via a malformed
        string passed to the json_decode() function, via a specially crafted
        ZIP file passed to the php_zip_make_relative_path() function, via a
        malformed JPEG image passed to the exif_read_data() function, or via
        temporary file exhaustion. It is also possible for an attacker to spoof
        certificates, bypass various safe_mode and open_basedir restrictions
        when certain criteria are met, perform Cross-site scripting attacks,
        more easily perform SQL injection attacks, manipulate settings of other
        virtual hosts on the same server via a malicious .htaccess entry when
        running on Apache, disclose memory portions, and write arbitrary files
        via a specially crafted ZIP archive. Some vulnerabilities with unknown
        impact and attack vectors have been reported as well.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200911-03"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201001-03"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All PHP users should upgrade to the latest version. As PHP is
        statically linked against a vulnerable version of the c-client library
        when the imap or kolab USE flag is enabled (GLSA 200911-03), users
        should upgrade net-libs/c-client beforehand:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=net-libs/c-client-2007e'
        # emerge --ask --oneshot --verbose '>=dev-lang/php-5.2.12'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(16, 20, 22, 79, 119, 134, 200, 264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:php");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/01/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/25");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"dev-lang/php", unaffected:make_list("ge 5.2.12"), vulnerable:make_list("lt 5.2.12"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "PHP");
    }
    
  • NASL family: CGI abuses
    NASL id: PHP_5_2_8.NASL
    description: According to its banner, the version of PHP installed on the remote host is earlier than 5.2.8. As such, it is potentially affected by the following vulnerabilities : - PHP fails to properly sanitize error messages of arbitrary HTML or script code, would code allow for cross-site scripting attacks if PHP
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35067
    published: 2008-12-09
    reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/35067
    title: PHP < 5.2.8 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(35067);
      script_version("1.18");
      script_cvs_date("Date: 2018/11/15 20:50:18");
    
      script_cve_id("CVE-2008-5814", "CVE-2008-5844");
      script_bugtraq_id(32673);
    
      script_name(english:"PHP < 5.2.8 Multiple Vulnerabilities");
      script_summary(english:"Checks version of PHP");
     
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote web server uses a version of PHP that may be affected by
    multiple vulnerabilities."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "According to its banner, the version of PHP installed on the remote
    host is earlier than 5.2.8.  As such, it is potentially affected by
    the following vulnerabilities :
    
      - PHP fails to properly sanitize error messages of
        arbitrary HTML or script code, would code allow for 
        cross-site scripting attacks if PHP's 'display_errors' 
        setting is enabled. (CVE-2008-5814)
    
      - Version 5.2.7 introduced a regression with regard to
        'magic_quotes' functionality due to an incorrect fix to 
        the filter extension.  As a result, the 
        'magic_quotes_gpc' setting remains off even if it is set 
        to on. (CVE-2008-5844)"
      );
      script_set_attribute(attribute:"see_also", value:"https://bugs.php.net/bug.php?id=42718");
      script_set_attribute(attribute:"see_also", value:"http://www.php.net/releases/5_2_8.php");
      script_set_attribute(attribute:"solution", value:"Upgrade to PHP version 5.2.8 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(16, 79);
    
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/12/09");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
      script_end_attributes();
     
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
    
      script_dependencies("php_version.nasl");
      script_require_ports("Services/www", 80);
      script_require_keys("www/PHP");
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("audit.inc");
    include("webapp_func.inc");
    
    port = get_http_port(default:80, php:TRUE);
    
    php = get_php_from_kb(
      port : port,
      exit_on_fail : TRUE
    );
    
    version = php["ver"];
    source = php["src"];
    
    backported = get_kb_item('www/php/'+port+'/'+version+'/backported');
    
    if (report_paranoia < 2 && backported)
      audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install");
    
    if (
      version =~ "^[0-4]\." ||
      version =~ "^5\.[01]\." ||
      version =~ "^5\.2\.[0-7]($|[^0-9])"
    )
    {
      set_kb_item(name:"www/"+port+"/XSS", value:TRUE);
      if (report_verbosity > 0)
      {
        report =
          '\n  Version source     : '+source +
          '\n  Installed version  : '+version+
          '\n  Fixed version      : 5.2.8\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_1F9E2376C52F11DD8CBC00163E000016.NASL
    description: PHP Developers reports : Due to a security bug found in the PHP 5.2.7 release, it has been removed from distribution. The bug affects configurations where magic_quotes_gpc is enabled, because it remains off even when set to on.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35050
    published: 2008-12-08
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/35050
    title: FreeBSD : php5 -- potential magic_quotes_gpc vulnerability (1f9e2376-c52f-11dd-8cbc-00163e000016)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(35050);
      script_version("1.12");
      script_cvs_date("Date: 2019/08/02 13:32:39");
    
      script_cve_id("CVE-2008-5844");
    
      script_name(english:"FreeBSD : php5 -- potential magic_quotes_gpc vulnerability (1f9e2376-c52f-11dd-8cbc-00163e000016)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "PHP Developers reports :
    
    Due to a security bug found in the PHP 5.2.7 release, it has been
    removed from distribution. The bug affects configurations where
    magic_quotes_gpc is enabled, because it remains off even when set to
    on."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.php.net/archive/2008.php#id2008-12-07-1"
      );
      # https://vuxml.freebsd.org/freebsd/1f9e2376-c52f-11dd-8cbc-00163e000016.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?a4c002fb"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_cwe_id(16);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:php5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/12/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/12/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/12/08");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"php5<5.2.8")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
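
The PHP_5_2_8.NASL plugin above decides from the PHP banner alone whether a host is earlier than 5.2.8, and it reports both CVE-2008-5814 and CVE-2008-5844 for any such version. The following Python is an added example, not Tenable's plugin code or anything from the PHP project: it reproduces that banner decision with integer version tuples (so that 5.2.10 is correctly treated as newer than 5.2.8, which a plain string comparison gets wrong), mirrors the plugin's "backported" skip, and additionally separates the two CVEs using the page's own statements: the display_errors XSS (CVE-2008-5814) is fixed in 5.2.8, while the magic_quotes_gpc regression (CVE-2008-5844) was introduced by 5.2.7 itself, as the Red Hat statement below also notes. The banners, the `paranoid` flag and the function names are constructed for the example.

```python
import re

# Fixed release named by the plugin: anything below 5.2.8 is flagged.
FIXED_VERSION = (5, 2, 8)
# The release that introduced the magic_quotes_gpc regression (page text).
REGRESSION_VERSION = (5, 2, 7)

# Matches the version in a Server or X-Powered-By header such as "PHP/5.2.7".
_BANNER_RE = re.compile(r"PHP/(\d+)\.(\d+)\.(\d+)")


def parse_php_version(banner):
    """Return (major, minor, patch) as integers from an HTTP banner, or None.

    Integer tuples compare numerically; the string "5.2.10" would otherwise
    sort before "5.2.8" and be flagged as vulnerable by mistake.
    """
    match = _BANNER_RE.search(banner)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def is_before_fix(version):
    """True for every version the plugin's regexes cover: 0.x-4.x, 5.0/5.1,
    and 5.2.0 through 5.2.7."""
    return version < FIXED_VERSION


def affected_cves(version):
    """List the CVEs from the plugin that apply to this exact version.

    CVE-2008-5814 applies to all pre-5.2.8 releases; CVE-2008-5844 only to
    5.2.7, the release that shipped the broken FILTER_UNSAFE_RAW change.
    """
    cves = []
    if is_before_fix(version):
        cves.append("CVE-2008-5814")
    if version == REGRESSION_VERSION:
        cves.append("CVE-2008-5844")
    return cves


def assess(banner, backported=False, paranoid=False):
    """Classify one banner the way the plugin's control flow does.

    backported: the distribution is known to ship fixes without bumping the
    version string (the plugin reads this from its knowledge base). Such
    hosts are skipped unless the scan is paranoid, to avoid false positives.
    """
    version = parse_php_version(banner)
    if version is None:
        return "unknown"
    if backported and not paranoid:
        return "skipped-backported"
    return "affected" if is_before_fix(version) else "not-affected"


# Constructed sample banners; not captured from any real host.
SAMPLE_BANNERS = [
    "X-Powered-By: PHP/5.2.7",
    "X-Powered-By: PHP/5.2.8",
    "X-Powered-By: PHP/5.2.10",
    "Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3",
    "Server: nginx",
]


def scan(banners):
    """Map each banner to its verdict and the CVEs that apply to it."""
    results = {}
    for banner in banners:
        version = parse_php_version(banner)
        cves = affected_cves(version) if version else []
        results[banner] = (assess(banner), cves)
    return results


if __name__ == "__main__":
    for banner, (verdict, cves) in scan(SAMPLE_BANNERS).items():
        print(f"{verdict:18} {', '.join(cves) or '-':28} {banner}")
```

The Debian-style banner shows why the plugin consults its backported-fixes knowledge base before reporting: a distribution may patch 5.2.6 in place, so a banner check alone is only a hint that the package version should be confirmed locally, which is what the Gentoo and FreeBSD plugins above do instead.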
    

Seebug

bulletinFamily: exploit
description: CVE(CAN) ID: CVE-2008-5844. PHP is a widely used general-purpose scripting language that is especially suited to web development and can be embedded in HTML. PHP 5.2.7 incorrectly changed the FILTER_UNSAFE_RAW functionality and may unintentionally disable magic_quotes_gpc regardless of the actual magic_quotes_gpc setting. By design, the unsafe_raw filter should optionally strip or escape special characters; the failure of this filter may allow attackers to carry out SQL injection and other attacks relatively easily. Affected: PHP 5.2.7. Vendor patch: PHP --- The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's home page: http://ookoo.org/svn/snip/php_5_2-broken_filter_and_magic_quotes.patch
id: SSV:4624
last seen: 2017-11-19
modified: 2009-01-06
published: 2009-01-06
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-4624
title: PHP FILTER_UNSAFE_RAW filter failure vulnerability

Statements

contributor: Tomas Hoger
last modified: 2009-01-23
organization: Red Hat
statement: Not vulnerable. This issue did not affect the versions of the php package, as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, and with Red Hat Application Stack v1 and v2. Only PHP version 5.2.7 was affected by this flaw.